I know that NSTX and Iodine can be used to bypass a captive portal by taking advantage of permissive DNS firewall rules.

What I have found recently is that simply by using Tor, I can also bypass a captive portal without any need for manually configuring a DNS server under my control. Nor do I have to agree to anything; I can simply browse as though I were connected directly to the internet.

How is this possible, and how would I prevent it when setting up a captive portal?

It depends upon how the portal works. There are many ways of setting up a captive portal -- some easier to bypass than others. While Tor might let you bypass one portal, it by no means lets you bypass all captive portals.
– D.W. Nov 29 '11 at 22:09

1 Answer
curiousguy is correct that Tor doesn't actually obfuscate the protocol other than HTTPS. Of note, however, is that Tor (using something like Tor Browser or Vidalia) does proxy DNS requests through Tor.

Some captive portals work only by redirecting default DNS to a login portal. If this is the case, the combination of encrypted communication and third-party DNS could subvert the captive portal. That said, changing DNS manually to something like 8.8.8.8 (Google public DNS) and browsing HTTPS pages, using a VPN, SSH tunnel, etc., would also subvert this portal.

Tor isn't doing anything on the protocol level to fool a captive portal, but it's certainly possible that, when used in the way you describe, it could allow a way out of the walled garden.

how would I prevent it when setting up a captive portal?

Most captive portals will not be vulnerable to this type of attack. All you need to do is successfully block all egress requests other than HTTP, which is forwarded to the portal login page; basically, nothing should get through the portal unless it's an authenticated client.

Hi dshaw, thanks for the answer. Just a side question as I don't want to ask another, but I note that on captive portals, even where changing DNS doesn't bypass the portal, Skype will still connect, as will my Gmail app on my phone. How is this possible?
– Sonny Ordell Nov 30 '11 at 14:56

Again, this is certainly a misconfiguration on the captive portal. It could be that on portals like those, DNS is correctly filtered, but Skype and Gmail apps use hard-coded IP addresses. Or maybe they are just connecting over 3G/data!
– dshaw Nov 30 '11 at 17:58

"Some captive portals work only by redirecting default DNS to a login portal." So the portal gives incorrect DNS answers? With a small TTL?
– curiousguy Dec 2 '11 at 12:08
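
The difference between a DNS-redirect-only portal and the default-deny egress policy recommended in the answer, modelled as an added example (not code from the thread or from any portal product). The addresses, the MAC, the function names and the rule that forces all unauthenticated DNS to the portal's own resolver are assumptions made for illustration.

```python
from dataclasses import dataclass

PORTAL_RESOLVER = "192.0.2.1"   # constructed: gateway/portal address (TEST-NET-1)
CLIENT = "02:00:00:00:00:01"    # constructed: client MAC address

@dataclass(frozen=True)
class Flow:
    label: str
    src_mac: str
    proto: str      # "tcp" or "udp"
    dst_ip: str
    dst_port: int

def dns_only_portal(flow, authed):
    """Weak design: the portal only controls answers from its default resolver."""
    if flow.src_mac in authed:
        return "ALLOW"
    if flow.dst_port == 53 and flow.dst_ip == PORTAL_RESOLVER:
        return "PORTAL"   # resolver hands back the login page address
    return "ALLOW"        # nothing else is inspected, so it is forwarded

def default_deny_portal(flow, authed):
    """Recommended design: nothing passes for an unauthenticated client."""
    if flow.src_mac in authed:
        return "ALLOW"
    if flow.proto == "tcp" and flow.dst_port == 80:
        return "PORTAL"   # plain HTTP is forwarded to the login page
    if flow.dst_port == 53:
        return "PORTAL"   # assumption: all DNS is forced to the portal's resolver
    return "DROP"         # HTTPS, VPN, SSH, Tor, hard-coded IPs

# Constructed flows, one per traffic type mentioned in the thread.
FLOWS = [
    Flow("default DNS", CLIENT, "udp", PORTAL_RESOLVER, 53),
    Flow("third-party DNS", CLIENT, "udp", "8.8.8.8", 53),
    Flow("HTTP", CLIENT, "tcp", "198.51.100.7", 80),
    Flow("HTTPS or Tor to a fixed IP", CLIENT, "tcp", "198.51.100.7", 443),
    Flow("SSH tunnel", CLIENT, "tcp", "198.51.100.7", 22),
]

def leaks(policy, authed=frozenset()):
    """Labels of flows that are forwarded untouched for the given policy."""
    return [f.label for f in FLOWS if policy(f, authed) == "ALLOW"]

if __name__ == "__main__":
    for policy in (dns_only_portal, default_deny_portal):
        print(policy.__name__, "leaks:", leaks(policy))
```

Running the same flow list against a real gateway's rules before and after login is a quick way to confirm that the unauthenticated leak list is empty.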